About current front-page troubles on Irrlicht

CuteAlien
Admin
Posts: 9628
Joined: Mon Mar 06, 2006 2:25 pm
Location: Tübingen, Germany
Contact:

About current front-page troubles on Irrlicht

Post by CuteAlien »

Hi,

I guess some of you noticed by now that http://irrlicht.sourceforge.net/ is currently looking very strange most days. Like new themes or a tiny/puny static website replacement.

Reason is that we got hacked. Are still hacked actually. And every time we enable wordpress (invisible) spam-links are re-introduced to our homepage within 1-2 days. This has been going on since around September, but I only noticed it very recently (I had been lazy and only checked for the same hack we got last time with 0px fonts to hide their links, so I didn't notice they used a new trick for invisible links this time).

Still working on this. Unfortunately it takes some time as I'm not very familiar with WordPress, PHP, SQL databases or web security in general. So all experiments to get rid of the hacker over the last 2 weeks have constantly failed.

Will give more info once I figure out some clue what's going on...
IRC: #irrlicht on irc.libera.chat
Code snippet repository: https://github.com/mzeilfelder/irr-playground-micha
Free racer made with Irrlicht: http://www.irrgheist.com/hcraftsource.htm
MartinVee
Posts: 139
Joined: Tue Aug 02, 2016 3:38 pm
Location: Québec, Canada

Re: About current front-page troubles on Irrlicht

Post by MartinVee »

I had the same problem a while back, and it turned out it was the theme that had an obfuscated line of code that did the injection. Not all themes are created (or distributed) with good intentions.

At the time, I remember looking at Stack Exchange's WordPress community site, and I found a very helpful question. I can't remember if it was exactly this one, but it seems to have very good advice. Be sure to read both answers.

Good luck with that!
CuteAlien
Admin
Posts: 9628
Joined: Mon Mar 06, 2006 2:25 pm
Location: Tübingen, Germany
Contact:

Re: About current front-page troubles on Irrlicht

Post by CuteAlien »

Thanks. I've seen that post on StackExchange actually :-) Unfortunately replacing theme (and re-installing wordpress) didn't solve it. My current suspicion is that the hack might already be stored inside the database and re-loaded from there.
MartinVee
Posts: 139
Joined: Tue Aug 02, 2016 3:38 pm
Location: Québec, Canada

Re: About current front-page troubles on Irrlicht

Post by MartinVee »

In the dark like you, but did you try one of the tools from the second answer?
CuteAlien
Admin
Posts: 9628
Joined: Mon Mar 06, 2006 2:25 pm
Location: Tübingen, Germany
Contact:

Re: About current front-page troubles on Irrlicht

Post by CuteAlien »

Not yet. Only tried the manual hunting.
Mel
Competition winner
Posts: 2292
Joined: Wed May 07, 2008 11:40 am
Location: Granada, Spain

Re: About current front-page troubles on Irrlicht

Post by Mel »

Pfff.. hacks are a pain in the ass... Check every PHP file you can have access to, they might have an injector segment somewhere, in the beginning, in the end... Check the image files, those might go unnoticed because you expect them to be an image and binary, but one of my sites once got hacked with a gif image that had some code in the end, it only had to call that image, as a file stored in the server and the whole effect reappeared. The database is unlikely though, as most files are stored as separate files outside the DB, but who knows... Check the boards as well, as many sites use phpBB forums and WordPress portals.

It is too bad that you can't update WordPress often, their devs address these vulnerabilities constantly, something you can't say of the phpBB guys, but it is what we have... (if these boards could become SimpleMachinesForums boards, maybe things would improve, they keep their forum engines constantly updated as well) Good luck! :/
"There is nothing truly useless, it always serves as a bad example". Arthur A. Schmitt
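The image check Mel describes, as an added example that is not code from any poster in this thread: it walks the GIF block structure to find where the image really ends and reports any bytes stored after the trailer, plus PHP markers anywhere in the file. The function names, the marker list and the sample bytes are assumptions constructed for illustration; only GIF is parsed structurally, other formats get the marker check alone.

```python
MARKERS = (b"<?php", b"eval(", b"base64_decode(")

def _skip_sub_blocks(data, pos):  # sub-block = length byte + payload; 0 ends
    while data[pos]:
        pos += 1 + data[pos]
    return pos + 1

def gif_end_offset(data):
    """Offset just past the GIF trailer (0x3B), or None if the structure is broken."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    try:
        pos = 13                                    # header (6) + screen descriptor (7)
        if data[10] & 0x80:                         # global colour table present
            pos += 3 * (2 << (data[10] & 0x07))
        while True:
            kind = data[pos]
            if kind == 0x3B:                        # trailer: image ends here
                return pos + 1
            if kind == 0x21:                        # extension: label, then sub-blocks
                pos = _skip_sub_blocks(data, pos + 2)
            elif kind == 0x2C:                      # image descriptor (10 bytes)
                packed = data[pos + 9]
                pos += 10
                if packed & 0x80:                   # local colour table
                    pos += 3 * (2 << (packed & 0x07))
                pos = _skip_sub_blocks(data, pos + 1)   # +1 skips LZW code size
            else:
                return None
    except IndexError:
        return None

def inspect_image(data):
    """Return findings for one uploaded file's bytes (empty list = nothing odd)."""
    findings = []
    if data[:3] == b"GIF":
        end = gif_end_offset(data)
        if end is None:
            findings.append("malformed GIF structure")
        elif end < len(data):
            findings.append(f"{len(data) - end} bytes after GIF trailer")
    findings += [f"contains {m.decode()}" for m in MARKERS if m in data.lower()]
    return findings

# Constructed 1x1 GIF and a tampered copy with an inert placeholder appended.
CLEAN_GIF = b"GIF89a" + bytes.fromhex("01000100800000000000ffffff2c00000000010001000002024401003b")
TAMPERED_GIF = CLEAN_GIF + b"<?php /* constructed placeholder */ ?>"

if __name__ == "__main__":
    print(inspect_image(CLEAN_GIF), inspect_image(TAMPERED_GIF))
```

To sweep an uploads directory, call `inspect_image(path.read_bytes())` for each file and review anything with a non-empty result.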
CuteAlien
Admin
Posts: 9628
Joined: Mon Mar 06, 2006 2:25 pm
Location: Tübingen, Germany
Contact:

Re: About current front-page troubles on Irrlicht

Post by CuteAlien »

Yeah, forum is another potential candidate. Though it should be separated somewhat from WordPress and there don't seem to be spam-links in the forum yet (unless I missed them). Update of forum also harder, but new phpBB just got released last week - so might be a good time to update that as well anyway.

There shouldn't be any PHP file left which wasn't replaced already (new WordPress install and new theme, but maybe I'm missing stuff as I don't really know exactly how WordPress works yet). Also did all the usual stuff like replacing all passwords. Got the idea with the database from someone who's a little more familiar with that stuff than me. Got also a few more hints, so guess I can still try a few things on the weekend. If all fails - I learned by now it's possible to create static pages from WordPress which would be sufficient for us (would lose "search" feature of old website, not much else probably). Though that would basically mean ignoring the hack and not fixing the real problem - so not my favorite solution.
Vectrotek
Competition winner
Posts: 1087
Joined: Sat May 02, 2015 5:05 pm

Re: About current front-page troubles on Irrlicht

Post by Vectrotek »

The Saints are sorting it..
REDDemon
Developer
Posts: 1044
Joined: Tue Aug 31, 2010 8:06 pm
Location: Genova (Italy)

Re: About current front-page troubles on Irrlicht

Post by REDDemon »

"Got the idea with the database from someone who's a little more familiar with that stuff than me"
Try a query to search for something that looks like links/HTML/PHP/JS code in all the tables. Probably better dumping the DB as SQL dump and then use a text editor with advanced search functionality. Usually the hack begins where there is something that isn't escaped properly or if there's a SQL injection... It could be possible that actually the hack is inside the forum and loaded only to WordPress from there (I don't know if you are actually using 2 different WWW folders or not; if not, phpBB should be checked too).
Junior Irrlicht Developer.
Real value in social networks is not about "increasing" number of followers, but about getting in touch with Amazing people.
- by Me
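The dump search REDDemon suggests, as an added example that is not code from any poster in this thread: it flags dump lines where an off-site link sits next to CSS that hides it, or where PHP/JS constructs appear in stored content. It goes one step beyond a plain text search by undoing XML entity escaping and peeling one base64 layer before matching. The patterns, function names, the `own_hosts` default and the sample rows are assumptions constructed for illustration.

```python
import base64
import html
import re

# Inline CSS commonly used to hide injected links from human visitors.
HIDDEN_STYLE = re.compile(
    r"font-size\s*:\s*0(?![.\d])|display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:left|top|text-indent)\s*:\s*-\d{3,}px", re.I)
# Code constructs that rarely belong in stored posts or options.
CODE_HINT = re.compile(r"<\?php|\beval\s*\(|base64_decode\s*\(|<script\b|<iframe\b", re.I)
LINK_HOST = re.compile(r"<a\s[^>]*href=[\"']?https?://([^/\"'\s>:?#]+)", re.I)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def reasons(text, own_hosts):
    """Return the reasons a piece of stored content looks injected."""
    found = set()
    external = [h for h in LINK_HOST.findall(text) if h.lower() not in own_hosts]
    if external and HIDDEN_STYLE.search(text):
        found.add("hidden-style external link")
    if CODE_HINT.search(text):
        found.add("code in stored content")
    return found

def scan_dump(lines, own_hosts=("irrlicht.sourceforge.net",)):
    """Return [(line number, reasons)] for suspicious lines of a text dump."""
    report = []
    for lineno, raw in enumerate(lines, 1):
        line = html.unescape(raw)           # XML dumps store '<' as '&lt;'
        found = reasons(line, own_hosts)
        for blob in B64_RUN.findall(line):  # peel one base64 layer only
            try:
                decoded = base64.b64decode(blob, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue
            found |= {"base64: " + r for r in reasons(decoded, own_hosts)}
        if found:
            report.append((lineno, sorted(found)))
    return report

# Constructed sample rows (not data from the Irrlicht site).
HIDDEN = b'<span style="display:none"><a href="http://spam.example/b">y</a></span>'
SAMPLE = [
    '<field name="post_content">&lt;a href="http://irrlicht.sourceforge.net/docu/"&gt;docs&lt;/a&gt;</field>',
    '<field name="option_value">&lt;div style="left:-9999px"&gt;&lt;a href="http://spam.example/a"&gt;x&lt;/a&gt;&lt;/div&gt;</field>',
    '<field name="option_value">' + base64.b64encode(HIDDEN).decode() + "</field>",
]

if __name__ == "__main__":
    for lineno, why in scan_dump(SAMPLE):
        print(lineno, why)
```

A hit is a triage lead, not proof: a row that holds an unrelated hidden element and an ordinary outbound link is flagged too, and content hidden behind several encoding layers still needs manual review.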
CuteAlien
Admin
Posts: 9628
Joined: Mon Mar 06, 2006 2:25 pm
Location: Tübingen, Germany
Contact:

Re: About current front-page troubles on Irrlicht

Post by CuteAlien »

@REDDemon: Yeah, I dumped DB as XML to make searching easier. But... turned out the DB is pretty huge. I tried a few simple searches (mainly with grep), but found nothing obvious. And if the hack is slightly encoded it is pretty impossible to find by hand that way.

But did change some other stuff, like new wordpress just came out last week, so I installed that. So far spam-links not yet back. Not sure if spammer just becomes lazy or if I maybe blocked his access.
devsh
Competition winner
Posts: 2057
Joined: Tue Dec 09, 2008 6:00 pm
Location: UK
Contact:

Re: About current front-page troubles on Irrlicht

Post by devsh »

There is no HTTPS /SSL on the forum, if you use the same user and password for the page administration..... passwords go over without strong encryption....

Also Cloudflare had a massive Heartbleed-like bug, I don't know if SourceForge sits behind Cloudflare but anything over the past few years could have gotten leaked :(
CuteAlien
Admin
Posts: 9628
Joined: Mon Mar 06, 2006 2:25 pm
Location: Tübingen, Germany
Contact:

Re: About current front-page troubles on Irrlicht

Post by CuteAlien »

I never use same password for different services. But since we updated to newer wordpress hacks seem to have stopped.
Cube_
Posts: 1010
Joined: Mon Oct 24, 2011 10:03 pm
Location: 0x45 61 72 74 68 2c 20 69 6e 20 74 68 65 20 73 6f 6c 20 73 79 73 74 65 6d

Re: About current front-page troubles on Irrlicht

Post by Cube_ »

how outdated was the old version? I have a cron job to auto-update wordpress with new patches and my website hasn't been hacked (but then again my website is extremely low traffic and for all intents and purposes dead)
"this is not the bottleneck you are looking for"
CuteAlien
Admin
Posts: 9628
Joined: Mon Mar 06, 2006 2:25 pm
Location: Tübingen, Germany
Contact:

Re: About current front-page troubles on Irrlicht

Post by CuteAlien »

At one point we were actually up-to-date with WordPress versions and still hacked. But a few weeks ago a new WordPress version came out and after updating to that one it stopped. Though I also changed a bunch of other stuff additionally.
Cube_
Posts: 1010
Joined: Mon Oct 24, 2011 10:03 pm
Location: 0x45 61 72 74 68 2c 20 69 6e 20 74 68 65 20 73 6f 6c 20 73 79 73 74 65 6d

Re: About current front-page troubles on Irrlicht

Post by Cube_ »

hmm, if you were up to date it probably wasn't a security hole with the install itself - maybe some addon or theme or whatnot.
Oh well, since you're no longer hacked that's a good start.